Two 14-year-old Canadians hacked a Bank of Montreal ATM after finding an operator's manual online. The manual showed how to gain administrative control of the device, according to a media report published over the weekend.

When Matthew Hewlett and Caleb Turon tested the instructions against an ATM at a nearby supermarket, the ninth graders didn't expect them to work, The Winnipeg Sun reported Sunday. To their surprise, the machine quickly prompted them for a password. Even more surprising, their first guess—a six-character password that's common among default settings—let them in. The boys then reported their lunch-hour caper to bank employees, who at first thought the duo had merely acquired the PINs of an ATM customer.

"So we both went back to the ATM and I got into the operator mode again," Hewlett said. "Then I started printing off documentations like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent."

Graciously, the bank officials typed a letter on bank letterhead asking the boys' school to excuse their tardiness. The note was remarkable. Under US laws, and most likely under Canadian law as well, the unauthorized access of an ATM is a violation of a variety of statutes, regardless of the intentions or ages of those who do it.

Whitehat hackers who discover vulnerabilities are advised to never break into a computer or network they don't legally own without first getting permission in writing. In the most extreme cases, a single conviction under the Computer Fraud and Abuse Act and statutes protecting banks and ATMs can result in a prison sentence of 20 years and stiff fines. Other would-be hackers should consider this outcome a fluke rather than the norm.

Promoted Comments

Good on Ars for putting the YMMV disclaimer, because really the chances of something like this happening ever again, especially south of the Canadian border, is slim to none.

I personally inadvertently found an exploit of my school's password reset system when trying to figure out my password. Put the brakes on completing enrollment, conferences with my advisor, their manager, and a director of IT. Was very vague until I conveyed just enough information to convey the severity of the issue, prompting the IT director to suspend the call and call me back. After about 20 minutes, we discussed the issue, the vulnerability, and the fact it would take some time to complete any sort of upgrade to fix. He laughed and said "Well, considering you're going to use an IT degree with an emphasis on this sort of thing, personally I think they should waive your tuition for a year but I'm not able to do that."

Hmm... Common six letter password that would come with a device... "123456"?

Good chance it was a Diebold ATM. Default supervisor password is 000000 and from my experience, LOTS of banks and credit unions don't change that password. Now that's just the standard supervisor mode password which will allow you to pull most of that information and set a few settings.

You can actually boot most ATMs into Windows but it will require physical access to the ATM and plugging in a keyboard, but once again, the default password isn't usually changed, and while longer it's not all that complex, think 'abcdefghijk12345689'. Now that's for Diebolds. NCR, the other major manufacturer here in the US (Wincor is much larger in Europe, but not sure about Canada) doesn't even have a supervisor level password, but does require physical access to the machine, like the back side. Also things like what tray has what bank notes are sent down from the processing network on boot, so they can't be changed locally.

Now all of that information is based on the larger Kiosk based ATMs like a drive up model, not the small little kiosk ones that you'd see in a bar or in a convenience store. They run the same software but usually are on a dialup connection or even a wireless connection and function differently. Their configuration load is saved locally, not pushed via their processing network. These were also the type that were being reprogrammed in the mid 00's so that the ATM would think the 20's were 5's and just spit out way too much cash.
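The two comments above come down to one control: operator and administrator credentials that still carry a vendor default or a trivial structure. As an added example (not from the article, any commenter, or any ATM vendor), here is a policy check a practitioner could run over a device inventory. The default list, the device inventory and the minimum length are constructed assumptions for illustration; the "000000" and "abcdefghijk12345689" values are taken from the comment above as the commenter reported them, not from vendor documentation.

```python
"""Policy check for operator/admin passwords on field devices.

Added example, not code from the original page. Flags passwords that are
known vendor defaults or that are structurally trivial (one repeated
character, a sequential run, or a concatenation of sequential runs such
as 'abcdef123456'). KNOWN_DEFAULTS and the sample inventory are
constructed for this example.
"""
import itertools
from dataclasses import dataclass
from typing import List

# Constructed list: values quoted in the thread plus common digit defaults.
KNOWN_DEFAULTS = {
    "000000",               # Diebold supervisor default, as reported above
    "abcdefghijk12345689",  # Windows-level default, as quoted above (sic)
    "123456",
    "1234",
    "password",
}

MIN_LENGTH = 8  # assumed policy minimum for this example


def is_monotonic_run(s: str) -> bool:
    """True when every adjacent pair differs by exactly +1 or -1 in code
    point, e.g. '123456', 'abcdef', '654321'."""
    if len(s) < 2:
        return False
    deltas = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return deltas == {1} or deltas == {-1}


def is_repeated_char(s: str) -> bool:
    """True for strings such as '000000' or 'aaaa'."""
    return len(s) > 0 and len(set(s)) == 1


def segments(s: str) -> List[str]:
    """Split into maximal runs of digits vs non-digits so that a password
    like 'abcdef123456' is examined one run at a time."""
    return ["".join(g) for _, g in itertools.groupby(s, key=str.isdigit)]


def evaluate_password(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if pw.lower() in KNOWN_DEFAULTS:
        problems.append("vendor default")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH}")
    if is_repeated_char(pw):
        problems.append("single repeated character")
    if is_monotonic_run(pw):
        problems.append("sequential run")
    else:
        segs = segments(pw)
        if len(segs) > 1 and all(is_monotonic_run(seg) for seg in segs):
            problems.append("concatenation of sequential runs")
    return problems


@dataclass
class Device:
    name: str
    role: str       # e.g. "supervisor" (operator menu) or "windows-admin"
    password: str


# Constructed inventory for the example; not real devices.
SAMPLE_DEVICES = [
    Device("atm-lobby-01", "supervisor", "000000"),
    Device("atm-lobby-01", "windows-admin", "abcdefghijk12345689"),
    Device("atm-drive-02", "supervisor", "Q7m!pz3Lw9"),
]


def audit(devices: List[Device]) -> dict:
    """Map 'name/role' to its violations, for devices that have any."""
    report = {}
    for d in devices:
        problems = evaluate_password(d.password)
        if problems:
            report[f"{d.name}/{d.role}"] = problems
    return report


if __name__ == "__main__":
    for key, problems in audit(SAMPLE_DEVICES).items():
        print(f"{key}: {', '.join(problems)}")
```

The structural checks matter because a default list is never complete: a branch that "changes" 000000 to 111111 or 123456 has not improved anything, and the segment test catches the alphabet-then-digits pattern the second comment describes even when the exact string is not on the list.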

Sadly there is no law to fine them for not changing the passwords from the default. Two 14 yr olds got a manual from online... makes you wonder if they were the first or just the ones that had no ill intentions.

That went remarkably better for the kids than I expected. Even if it seems fairly clearly the "right thing" to do in this case, given both their ages and huge amounts of transparency and forthrightness, it simply can't ever be expected that an organization is going to react this... nicely.

Even if you think you are doing something positive, and even if you think you are doing it in a good way, always get permission first, and if you can't get permission, walk away from it or notify an organization empowered to oversee the issue (and then walk away from it). Too many things spiral out of control when they didn't need to based on people who believe they have good intentions and the resulting reactions. Even if you think you're right, not everyone is going to see things in the same light that you do: not everyone has your perspective.

Definitely a case of some kids finding the info, then saying to themselves "wouldn't it be ridiculous if this is all someone needed to hack an ATM? Let's find out." Good for them that they went straight to the branch to notify them, even though hacking the ATM was illegal regardless. And good for the bank that they reacted in a reasonable manner.

That reminds me of the Canadian math teacher that noticed a pattern in scratch-and-win tickets that let him spot winners. Instead of making millions, he told the company. Who sued him. From this I learned, if I ever have a chance like that, don't tell anyone. Ever. And if it isn't illegal, get myself damn rich, since the company will just screw me over if I try and be good.

Now... this is one of those cases where the definition of "hacked" has to come into play. Is it really "hacking" if they used information freely available by the manufacturer? I mean, it's definitely gaining unauthorized access, but it's not like they were bypassing security or anything.

That bank should be ashamed that they were using the default password. That's somewhat mitigated by the fact that they were so decent about handling the situation with the kids (assuming that the corporate overlords don't decide to press charges later...)

I remember when I was younger we were on a class trip and we figured out how to hack a soda machine and change the cost of the sodas. These global, default logins are just asking for trouble. They should require some kind of key fob to be plugged in or something at the very least.

I'm glad to see the kids weren't punished; however, it was still a profoundly stupid thing for them to do. Cheers to the Bank of Montreal for reacting in the best way possible.

I suspect that they did the smart thing, by approaching a branch manager.

Canadian banks seem to be very customer service oriented. (Of course it is a strategy to convince consumers to spend more on their products, but that is beside the point.) As a result, the people who work in a branch are very approachable and they tend to take things in stride. I suspect that phoning the bank and trying to reach the "right person" would have had a very different outcome. The right person would likely have been far more concerned with the bank's security and the bank's image.

Then again, I could be wrong about higher ups. I have filed complaints with Canadian corporations and have received apologies directly from the people involved (i.e. not a form letter from the department handling complaints.)

Unfortunately, in the US the only safe thing is to never tell if you can break in - You are automatically assumed to be an evil hacker up to no good even if you tell them what you did, and did not take any money or download any data. - That's one reason so many hackers get away with it - the white hats are being persecuted for being white hats. So they don't tell when they do find a vulnerability. If the banks and other companies would offer rewards for white hats to find and report the vulnerabilities, then they could patch them before the real criminals get to them.

Although I agree they handled this well after the fact (probably because the bank managers were smart enough to realize that the press was going to be bad, let's not make it worse), it doesn't excuse an international bank from having such lackadaisical discipline over the security of their ATMs. I might expect this kind of thing from a sketchy off-brand ATM in a bar, not one with a bank's name on it.

I could be wrong, but a lot of legal action doesn't necessarily result from pulling a manager aside and disclosing an issue.

It results from one of 2 things.

A.) The person uses the exploit themselves to "make an example" out of the company

B.) The person widely discloses the vulnerability, before the company affected has any real chance to react.

There have been more than a few cases of people disclosing vulns they didn't have prior permission to be seeking and having the FBI/etc called on them. They're rarely prosecuted but it's still a situation where they technically could be and where the entire thing can become a huge problem.

One thing that I think stands heavily in favor of these kids is how this was not a 0-day exploit: it was just using the operator's manual and an apparently default password. When they say they didn't expect it to work, it's eminently believable, since it shouldn't have, and they followed that with immediate disclosure... which in this case is also good, because they were [presumably] on camera while doing this, and I would assume it logs the time of access, which probably would have raised some flags and been associable with that camera footage.

Quote:

Let's not give false equivalence to those who got charged for irresponsible disclosure, and people being civil in their own disclosure.

At least in the case of what I said previously, *I'm* not. I think many people who make really stupid decisions about disclosure think they're doing "the right thing," though. In terms of the perspectives of the people disclosing, they all believe they're disclosing in a moral or at least excusable way. So rather than tell people "don't be unethical" you need to start off with "slow down," because a lot of the unethical things people do they feel morally justified in doing. And being ethical isn't a CYA if the other party reacts poorly because THEY panic, and have no reason to trust you (they don't know you, why would they?).

Quote:

That went remarkably better for the kids than I expected. Even if it seems fairly clearly the "right thing" to do in this case, given both their ages and huge amounts of transparency and forthrightness, it simply can't ever be expected that an organization is going to react this... nicely.

Even if you think you are doing something positive, and even if you think you are doing it in a good way, always get permission first, and if you can't get permission, walk away from it or notify an organization empowered to oversee the issue (and then walk away from it). Too many things spiral out of control when they didn't need to based on people who believe they have good intentions and the resulting reactions. Even if you think you're right, not everyone is going to see things in the same light that you do: not everyone has your perspective.

While probably true, it is a sign that there is something seriously broken when the sound advice you give to a teenager amounts to "You didn't do anything wrong; that doesn't matter. Don't be honest; lawyer up immediately."

Quote:

I'm glad to see the kids weren't punished; however, it was still a profoundly stupid thing for them to do. Cheers to the Bank of Montreal for reacting in the best way possible.

I don't think it's profoundly stupid, 14 is an age where one is testing boundaries and still learning how to function as an adult in society. In fact, I would argue that this behavior shows extreme signs of intelligence as well as solid moral character. I think this is a good example of children showing gifted behavior in an area like using your available resources to test and probe things most people take for granted. Stuff like this translates well to IT security which is in need of people who are smart and well trained.

Quote:

Canadian banks seem to be very customer service oriented. (Of course it is a strategy to convince consumers to spend more on their products, but that is beside the point.) As a result, the people who work in a branch are very approachable and they tend to take things in stride. I suspect that phoning the bank and trying to reach the "right person" would have had a very different outcome. The right person would likely have been far more concerned with the bank's security and the bank's image.

I remember a Daily Show segment (maybe last year, maybe with Jason Jones?) where they examined Canadian banks and how completely different they are from their American counterparts. They asked people what words they associate with bankers and they responded with things like "honest" and "trustworthy".

Nonetheless, it's always extremely refreshing and gratifying to see someone reward inquisitive kids who do the right thing rather than punishing them.

Ars has spoken at some length about the perils of password security, and I'm convinced now that as long as we have passwords, we're never going to have GOOD passwords from a majority of users. I read Surely You're Joking, Mr. Feynman a couple of years back and the chapter on safecracking was illuminating -- the issue of people spending ridiculous amounts of money on high-security systems and then leaving them set on the default security code significantly predates computer logins. If people haven't learned better in the past 60 years, I don't see any reason why they'll learn better now.

OT: Ahh, default passwords. It's crazy how often default passwords are left in place. Case in point - AT&T. Not too sure if they still do this, but it was pretty well known that for a very long period of time, if you had an AT&T T1-DS3, and were using their MIS, IPFLEX or MPLS services, the router they use almost certainly had the default password. And these were the routers that were managed by AT&T, so you weren't legally allowed to touch them.

And they'd leave telnet open, on the WAN side (for their management). It's pretty freaking easy to find the default username and password for a Cisco 2690 [EDIT: 2690 is a switch; 2911 I think is the router I am thinking of]. And that would get you into privileged mode as well.
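The exposure described in the comment above (Telnet reachable on the WAN side of a managed router, combined with a default credential) is something the customer can at least detect from a copy of the running configuration. As an added example, not the commenter's code and not a vendor or carrier tool, the script below audits an IOS-style configuration offline for the weak pattern and shows the corrected form beside it. Both configurations are constructed samples; the hash placeholders are not real hashes, and the 2690/2911 model question from the comment is not addressed, since the checks are on configuration syntax rather than platform.

```python
"""Offline audit of a Cisco IOS-style running-config for remote-management
exposure: Telnet on VTY lines, no inbound access-class, line passwords,
'enable password' instead of 'enable secret', and default-style
credentials. Added example; both configs are constructed samples.
"""
import re
from typing import List, Tuple

# Constructed sample showing the weak pattern from the comment.
WEAK_CONFIG = """\
hostname cust-edge-rtr
!
enable password cisco
username admin privilege 15 password 0 cisco
!
interface Serial0/0/0
 description carrier-managed WAN (constructed sample)
 ip address 203.0.113.2 255.255.255.252
!
line vty 0 4
 password cisco
 login
 transport input telnet
!
"""

# Constructed hardened form: hashed secrets, SSH only, source-restricted.
HARDENED_CONFIG = """\
hostname cust-edge-rtr
!
enable secret 9 <hash-redacted>
username netops privilege 15 secret 9 <hash-redacted>
!
ip access-list standard MGMT-HOSTS
 permit 192.0.2.10
!
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input ssh
!
"""

# Constructed list of values that commonly ship as default credentials.
DEFAULT_SECRETS = {"cisco", "admin", "password"}


def vty_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Return (header, [stripped body lines]) for each 'line vty' section.
    IOS indents a section's body with one space; '!' or a new top-level
    command ends it."""
    blocks, lines, i = [], config.splitlines(), 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            header, body = lines[i], []
            i += 1
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i].strip())
                i += 1
            blocks.append((header, body))
        else:
            i += 1
    return blocks


def audit_ios_config(config: str) -> List[str]:
    """Return human-readable findings; an empty list means no issue found."""
    findings = []
    if re.search(r"^enable password ", config, re.M):
        findings.append("enable password used instead of enable secret")
    # 'username X ... password [0|7] VALUE' stores a reversible or clear value.
    for m in re.finditer(r"^username (\S+) .*?\bpassword (?:0 |7 )?(\S+)", config, re.M):
        user, value = m.groups()
        findings.append(f"user {user}: password keyword instead of secret")
        if value.lower() in DEFAULT_SECRETS:
            findings.append(f"user {user}: default-style credential")
    for header, body in vty_blocks(config):
        transports = [l.split()[2:] for l in body if l.startswith("transport input")]
        if not transports:
            findings.append(f"{header}: transport input not restricted (telnet may be enabled)")
        elif any(t in ("telnet", "all") for t in sum(transports, [])):
            findings.append(f"{header}: telnet accepted on transport input")
        if not any(l.startswith("access-class ") and l.endswith(" in") for l in body):
            findings.append(f"{header}: no inbound access-class, management reachable from any source")
        for l in body:
            if l.startswith("password "):
                findings.append(f"{header}: line password set")
                if l.split()[-1].lower() in DEFAULT_SECRETS:
                    findings.append(f"{header}: default-style line password")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_ios_config(cfg) or ["no findings"]:
            print("  " + f)
```

On a carrier-managed router the customer cannot change the configuration, but can still request it, run a check like this, and put the findings in writing to the provider; the `access-class` check is the one that most directly addresses "telnet open on the WAN side", since even a non-default password does not help against a service reachable from the whole Internet.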


Quote:

Under US laws, and most likely under Canadian law as well, the unauthorized access of an ATM is a violation of a variety of statutes, regardless of the intentions or ages of those who do it.

I don't know about Canada, but that's not actually a true statement regarding US law. The relevant statute, 18 USC 1030, the CFAA, lists a hodgepodge of required mental states and required acts. If you act "with intent," which under the meaning of criminal law these teens were, the broadest act is "obtaining information."

"Hey look, we have access," isn't going to be sufficient. Printing the transactions almost certainly would be enough, but if a bank rep is watching over your shoulder, that's going to be authorized access.